How does it work: it uses ptrace to attach to the process and change its memory.
Nothing special associated with ART; the application does not involve it.
In the new version the data handling has been modified. Previously it was int, but since adding support for x64 I had to use long. I think the problem is this.
There is one more observation: if the problem were in the native code, logcat would record the start of the application, since the native code runs only after the Java code has started. But it does not. Hence the problem is in the Java code, or rather in its compilation by ART.
Another possible problem: in version 8.1.0 I added the support-v4 library in order to use android.support.v4.util.LongSparseArray. It adds a lot of code to the project. Maybe the problem is here.
In version 8.1.2 I removed most of the code from the support-v4 jar. Only two classes are imported:
android.support.v4.util.ContainerHelpers
and android.support.v4.util.LongSparseArray
but the problem stays the same.
So the cause is either these classes or the usage of long instead of int in some cases.
Version 8.0.8 worked. But if I remove the lib folder then it crashes. In the lib folder are located ELF executables and one library. But this library is a hook and is not loaded in the app. It is loaded in the target app. GameGuardian can run without libs.
Crash data:
Build: samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys
Hardware: universal7420
Revision: 10
Bootloader: G925FXXU3COI9
Radio: unknown
Kernel: Linux version 3.10.61-S6_UniKernel_v8-0002_rb (gl@BlueDingo) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Fri Sep 4 16:01:33 BST 2015
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys'
Revision: '10'
ABI: 'arm64'
pid: 3670, tid: 3670, name: rsoft.climbhill >>> com.fingersoft.climbhill <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8a900000000217
x0 0000007f7b8933c0 x1 0000007febb66510 x2 0000007f7b8933c0 x3 0000000000000000
x4 00000000771092b0 x5 0000000000000001 x6 0000000000000000 x7 0000007f7b88a1bc
x8 0000000000000000 x9 0000007f7b88a1b8 x10 0000000000000000 x11 0000000000000000
x12 0000000000000000 x13 0000000000430000 x14 0000000000550000 x15 0000000000430000
x16 0000000000000000 x17 7b8a90000000007f x18 0000007f7b7fd520 x19 0000000000000060
x20 0000000073b04020 x21 0000007f7b8a9000 x22 0000007f7b8a9090 x23 0000007febb666e0
x24 00000000712d3c79 x25 0000007febb666e0 x26 0000007febb666f0 x27 0000007febb66728
x28 0000007febb66c00 x29 0000007febb66590 x30 0000000073b2f02c
sp 0000007febb66500 pc 0000000073b04024 pstate 0000000060000000
backtrace:
#00 pc 0000000000000024 /data/dalvik-cache/arm64/system@framework@boot.oat
#01 pc 000000000002b028 /data/dalvik-cache/arm64/system@framework@boot.oat
processName:com.fingersoft.climbhill
broadcastEvent : com.fingersoft.climbhill SYSTEM_TOMBSTONE
Very odd. I only removed the lib files and everything started crashing. But the libs are not necessary to start the app. The apk without libs started on any device or emulator. It did not work normally, but it started.
It looks like a serious bug in Xposed.
I do not know how to deal with it if it does not depend on my code, but depends on such a mysterious thing as the presence of unnecessary files.
It is very, very odd.
Strange indeed. On Android 6.0, I couldn't reproduce this issue at all, neither on arm nor on arm64. Unfortunately, I have no other devices. The emulator doesn't work properly for me (due to my AMD CPU, no hardware acceleration is possible) and Genymotion is also running into SIGILL errors lately (as my CPU doesn't understand SSSE3). This will hopefully change soon, but I still need to wait for the new CPU to arrive, then I need to rebuild my PC and finally I'm also planning to set up Windows from scratch. Afterwards, I can hopefully reproduce this and find out more.
Just some things I noticed in the logs:
12-30 21:52:19.079 I/Xposed (21719): Instrumentation detected, disabling framework for com.rgames.smashywanted
12-30 21:52:19.079 I/InjectionManager(21719): Inside getClassLibPath + mLibMap{0=, 1=}
12-30 21:52:19.079 I/InjectionManager(21719): Inside getClassLibPath caller
The first line is written when Xposed detects that an app is started with instrumentation, which can cause issues with Xposed. This used to work fine, but maybe there's a bug when it comes to arm64 on Android 5.1.
The other two seem to be from the app. If "getClassLibPath" is referring to the CLASSPATH, then this might interfere with Xposed adding a jar to this variable.
Three other things came into my mind:
/data/data/de.robv.android.xposed.installer/conf/disabled to disable all of Xposed's hooking? That would only leave the ART modifications active, which I suspect to be the issue here.
/data/dalvik-cache/arm64/system@framework@boot.oat? The next frame in the stacktrace refers to address 24, which is most likely not correct. Would be good to get a feeling what the system is doing before.
The application uses Instrumentation to create a context without an Activity. However, this may not be the cause of the crash without libraries.
The application does not interact with the classpath at all in any way, so there is nothing to say.
As for the other questions, I redirect them to the person who has the problem. I also have no way to reproduce the bug, unfortunately.
I would like to mention one more feature. All of the incidents are associated with the same location:
00000217
This suggests an error in handling a pointer.
Here are the logs:
Build: samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys
Hardware: universal7420
Revision: 10
Bootloader: G925FXXU3COI9
Radio: unknown
Kernel: Linux version 3.10.61-S6_UniKernel_v8-0002_rb (gl@BlueDingo) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Fri Sep 4 16:01:33 BST 2015
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys'
Revision: '10'
ABI: 'arm64'
pid: 21719, tid: 21719, name: es.smashywanted >>> com.rgames.smashywanted <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xa900000000217
x0 0000007f740933c0 x1 0000007fca7ffea0 x2 0000007f740933c0 x3 0000000000000000
x4 00000000771092b0 x5 0000000000000001 x6 0000000000000000 x7 0000007f7408a1bc
x8 0000000000000000 x9 0000007f7408a1b8 x10 0000000000000000 x11 0000000000000000
x12 0000000000000000 x13 0000000000430000 x14 0000000000550000 x15 0000000000430000
x16 0000000000000000 x17 740a90000000007f x18 0000007f73ffd520 x19 0000000000000060
x20 0000000073b04020 x21 0000007f740a9000 x22 0000007f740a9090 x23 0000007fca800070
x24 00000000712d3c79 x25 0000007fca800070 x26 0000007fca800080 x27 0000007fca8000b8
x28 0000007fca800590 x29 0000007fca7fff20 x30 0000000073b2f02c
sp 0000007fca7ffe90 pc 0000000073b04024 pstate 0000000060000000
backtrace:
#00 pc 0000000000000024 /data/dalvik-cache/arm64/system@framework@boot.oat
#01 pc 000000000002b028 /data/dalvik-cache/arm64/system@framework@boot.oat
processName:com.rgames.smashywanted
broadcastEvent : com.rgames.smashywanted SYSTEM_TOMBSTONE
Build: samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys
Hardware: universal7420
Revision: 10
Bootloader: G925FXXU3COI9
Radio: G925FXXU3COI9
Kernel: Linux version 3.10.61-S6_UniKernel_v8-0002_rb (gl@BlueDingo) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Fri Sep 4 16:01:33 BST 2015
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:5.1.1/LMY47X/G925FXXU3COI9:user/release-keys'
Revision: '10'
ABI: 'arm64'
pid: 13690, tid: 13690, name: m.cnplay.tiles2 >>> com.cnplay.tiles2 <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xca900000000217
x0 0000007f89c933c0 x1 0000007fe63a5b80 x2 0000007f89c933c0 x3 0000000000000000
x4 000000007771a1b0 x5 0000000000000001 x6 0000000000000000 x7 0000007f89c8a1bc
x8 0000000000000000 x9 0000007f89c8a1b8 x10 0000000000000000 x11 0000000000000000
x12 0000000000000000 x13 0000000000430000 x14 0000000000550000 x15 0000000000430000
x16 0000000000000000 x17 89ca90000000007f x18 0000007f89bfd520 x19 0000000000000060
x20 0000000074115020 x21 0000007f89ca9000 x22 0000007f89ca9090 x23 0000007fe63a5d50
x24 00000000718e4c79 x25 0000007fe63a5d50 x26 0000007fe63a5d60 x27 0000007fe63a5d98
x28 0000007fe63a6270 x29 0000007fe63a5c00 x30 000000007414002c
sp 0000007fe63a5b70 pc 0000000074115024 pstate 0000000060000000
backtrace:
#00 pc 0000000000000024 /data/dalvik-cache/arm64/system@framework@boot.oat
#01 pc 000000000002b028 /data/dalvik-cache/arm64/system@framework@boot.oat
processName:com.cnplay.tiles2
broadcastEvent : com.cnplay.tiles2 SYSTEM_TOMBSTONE
Build: samsung/nobleltezh/nobleltehk:5.1.1/LMY47X/N9200ZHU2AOKA:user/release-keys
Hardware: universal7420
Revision: 9
Bootloader: N9200ZHU2AOKA
Radio: unknown
Kernel: Linux version 3.10.61-ka-1 (Tron@ubuntu) (gcc version 4.9 20140514 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Dec 11 17:50:03 CST 2015
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/nobleltezh/nobleltehk:5.1.1/LMY47X/N9200ZHU2AOKA:user/release-keys'
Revision: '9'
ABI: 'arm64'
pid: 4831, tid: 4831, name: es.smashywanted >>> com.rgames.smashywanted <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4a600000000217
x0 0000007f8a4d6300 x1 0000007fe8eb62f0 x2 0000007f8a4d6300 x3 0000000000000000
x4 0000000076131300 x5 0000000000000001 x6 0000000000000000 x7 0000007f8a48a7bc
x8 0000000000000000 x9 0000007f8a48a7b8 x10 0000000000000000 x11 0000000000000000
x12 0000000000000000 x13 0000000000430000 x14 0000000000550000 x15 0000000000430000
x16 0000000000000000 x17 8a4a60000000007f x18 0000007f8a3fd520 x19 0000000000000060
x20 0000000072a52020 x21 0000007f8a4a6000 x22 0000007f8a4a6090 x23 0000007fe8eb64c0
x24 0000000070180c7a x25 0000007fe8eb64c0 x26 0000007fe8eb64d0 x27 0000007fe8eb6508
x28 0000007fe8eb69e0 x29 0000007fe8eb6370 x30 0000000072a7d0dc
sp 0000007fe8eb62e0 pc 0000000072a52024 pstate 0000000060000000
backtrace:
#00 pc 0000000000000024 /data/dalvik-cache/arm64/system@framework@boot.oat
#01 pc 000000000002b0d8 /data/dalvik-cache/arm64/system@framework@boot.oat
processName:com.rgames.smashywanted
broadcastEvent : com.rgames.smashywanted SYSTEM_TOMBSTONE
That doesn't necessarily mean much - after all, the execution somehow jumped to a very low memory address 0x24 from 0x2b0d8. At address 0x24, there might be any kind of instruction which accesses 0x217, but I doubt that the control flow should even get to 0x24. This might be an offset to something (vtable?), and if the object happens to be 0, it might go to this wrong address. That's why it would be interesting to know what's at 0x2b0d8.
There's a lot of guessing involved here though. Knowing answers to my three points above could help to get further information.
@rovo, sorry for writing in German
Hello rovo, I am trying to help enyby find the bug. I have the possibility to test the whole thing on real devices.
Since I have no idea about coding, and my school English is not sufficient for a discussion, I ask you to tell me briefly what exactly I have to do to test this.
Up to /data/data/de.robv.android.xposed.installer/conf/disabled
I could follow you; objdump you have to explain to me exactly.
On 1.: Does the file need an extension?
What is the latest version of Xposed for the S6/Edge?
It is really annoying that I should uninstall Xposed, since I use both apps daily.
Is there a way to exclude GameGuardian from Xposed's access?
@geribabldi
I have installed Xposed 78.1 custom build by wanam.
The installer is from June, 3.0 alpha4.
If you need any logcats, let me know, I will test it.
I have now created the file as follows:
/data/data/de.robv.android.xposed.installer/conf/disabled
I assume I will now reboot.
I got logcat and both oat and art files.
As I see, offset 2b028 points to
# java.net.Authenticator$RequestorType java.net.Authenticator$RequestorType.SERVER FIELDS:0002B028 Authenticator$RequestorType_SERVER:dex_method_desc <0x1BD, 0x1BD, 0x220A>
in IDA.
@geribabldi: Exactly, just create this file and see whether anything changes. What is a bit problematic is that I do not support Samsung at all, as you have already noticed yourself.
@Enyby: Thanks. The file has an executable offset of 0x02b2a000 in oatdump, so I added that to 2b028. At position 0x02b55028, I found blr x20, so this might indeed be the call that leads to the failing instruction. It seems to be a generic JNI wrapper though, which is used by at least these methods:
22: boolean dalvik.system.VMRuntime.is64Bit() (dex_method_idx=693)
23: boolean dalvik.system.VMRuntime.isCheckJniEnabled() (dex_method_idx=697)
24: boolean dalvik.system.VMRuntime.isDebuggerActive() (dex_method_idx=698)
45: boolean java.lang.Thread.isInterrupted() (dex_method_idx=3563)
5: boolean java.lang.ref.FinalizerReference.makeCircularListIfUnenqueued() (dex_method_idx=3747)
5: boolean com.android.org.conscrypt.OpenSSLProvider.nativeCheckWhitelist() (dex_method_idx=805)
75: boolean android.content.res.AssetManager.isUpToDate() (dex_method_idx=8134)
13: boolean android.graphics.Movie.isOpaque() (dex_method_idx=11757)
36: boolean android.graphics.Paint.native_hasTextEffect() (dex_method_idx=11946)
130: boolean android.graphics.Paint.isElegantTextHeight() (dex_method_idx=11904)
32: boolean android.graphics.Region.isComplex() (dex_method_idx=12369)
33: boolean android.graphics.Region.isEmpty() (dex_method_idx=12370)
34: boolean android.graphics.Region.isRect() (dex_method_idx=12371)
40: boolean com.android.server.FMPlayerNative.getSoftMuteMode() (dex_method_idx=51007)
33: boolean com.google.android.gles_jni.EGLImpl.eglReleaseThread() (dex_method_idx=51707)
36: boolean com.google.android.gles_jni.EGLImpl.eglWaitGL() (dex_method_idx=51710)
13: boolean com.samsung.location.CellGeofenceProvider.native_init() (dex_method_idx=62005)
4: boolean android.filterfw.core.GLEnvironment.nativeActivate() (dex_method_idx=10570)
9: boolean android.filterfw.core.GLEnvironment.nativeAllocate() (dex_method_idx=10575)
10: boolean android.filterfw.core.GLEnvironment.nativeDeactivate() (dex_method_idx=10576)
11: boolean android.filterfw.core.GLEnvironment.nativeDeallocate() (dex_method_idx=10577)
13: boolean android.filterfw.core.GLEnvironment.nativeInitWithCurrentContext() (dex_method_idx=10579)
14: boolean android.filterfw.core.GLEnvironment.nativeInitWithNewContext() (dex_method_idx=10580)
15: boolean android.filterfw.core.GLEnvironment.nativeIsActive() (dex_method_idx=10581)
17: boolean android.filterfw.core.GLEnvironment.nativeIsContextActive() (dex_method_idx=10583)
20: boolean android.filterfw.core.GLEnvironment.nativeSwapBuffers() (dex_method_idx=10586)
4: boolean android.filterfw.core.GLFrame.generateNativeMipMap() (dex_method_idx=10603)
20: boolean android.filterfw.core.GLFrame.nativeDeallocate() (dex_method_idx=10633)
21: boolean android.filterfw.core.GLFrame.nativeDetachTexFromFbo() (dex_method_idx=10634)
22: boolean android.filterfw.core.GLFrame.nativeFocus() (dex_method_idx=10635)
23: boolean android.filterfw.core.GLFrame.nativeReattachTexToFbo() (dex_method_idx=10636)
24: boolean android.filterfw.core.GLFrame.nativeResetParams() (dex_method_idx=10637)
11: boolean android.filterfw.core.NativeFrame.nativeDeallocate() (dex_method_idx=10776)
2: boolean android.filterfw.core.NativeProgram.allocate() (dex_method_idx=10794)
10: boolean android.filterfw.core.NativeProgram.callNativeInit() (dex_method_idx=10802)
12: boolean android.filterfw.core.NativeProgram.callNativeReset() (dex_method_idx=10804)
14: boolean android.filterfw.core.NativeProgram.callNativeTeardown() (dex_method_idx=10806)
15: boolean android.filterfw.core.NativeProgram.deallocate() (dex_method_idx=10807)
16: boolean android.filterfw.core.NativeProgram.nativeInit() (dex_method_idx=10810)
6: boolean android.filterfw.core.ShaderProgram.beginShaderDrawing() (dex_method_idx=10917)
7: boolean android.filterfw.core.ShaderProgram.compileAndLink() (dex_method_idx=10918)
9: boolean android.filterfw.core.ShaderProgram.deallocate() (dex_method_idx=10920)
4: boolean android.filterfw.core.VertexFrame.nativeDeallocate() (dex_method_idx=11040)
59: boolean android.hardware.Camera.previewEnabled() (dex_method_idx=11828)
1: boolean android.hardware.usb.UsbRequest.native_cancel() (dex_method_idx=17151)
9: boolean android.media.JetPlayer.native_clearQueue() (dex_method_idx=21184)
10: boolean android.media.JetPlayer.native_closeJetFile() (dex_method_idx=21185)
14: boolean android.media.JetPlayer.native_pauseJet() (dex_method_idx=21189)
15: boolean android.media.JetPlayer.native_playJet() (dex_method_idx=21190)
8: boolean android.media.MediaExtractor.advance() (dex_method_idx=21578)
18: boolean android.media.MediaExtractor.hasCacheReachedEndOfStream() (dex_method_idx=21590)
106: boolean android.media.MediaPlayer.isLooping() (dex_method_idx=22077)
107: boolean android.media.MediaPlayer.isPlaying() (dex_method_idx=22079)
17: boolean android.media.audiofx.AudioEffect.native_getEnabled() (dex_method_idx=23735)
19: boolean android.media.audiofx.AudioEffect.native_hasControl() (dex_method_idx=23737)
9: boolean android.media.audiofx.Visualizer.native_getEnabled() (dex_method_idx=24019)
7: boolean android.os.BinderProxy.isBinderAlive() (dex_method_idx=33455)
9: boolean android.os.BinderProxy.pingBinder() (dex_method_idx=33457)
145: boolean com.sec.android.seccamera.SecCamera.previewEnabled() (dex_method_idx=491)
That said, I'm not 100% sure that the crash really happens inside one of these methods.
Another thing I noticed is that this is a Samsung ROM, are there any non-Samsung reports for this bug? My Xposed builds don't support Samsung, so maybe we should involve @wanam. The "InjectionManager" seems to be their addition as well. The last message is "Inside getClassLibPath caller", which is written by getClassLibPath(int), which is called by LoadedApk.getClassLoader(). Xposed usually does some fiddling with the classloader, but shouldn't do that when it detects instrumentation. I have no idea whether there's a strange intermediate state on Samsung ROMs in this case.
@wanam: Could you have a look at this please? It seems that you hook nativeCheckWhitelist from the list above, what happens if that hook doesn't work? I remember you wrote something that Xposed hooks must not be disabled, otherwise the ROM won't work. Is it possible that this method has a native implementation with Samsung's libart.so that doesn't exist in AOSP (and hence in Xposed), so when it's called anyway, it crashes? Any further ideas?
@Enyby By the way, both APKs from the test.zip that you uploaded earlier worked fine for me (on Genymotion), the app could start. There was only a message about a missing library, which makes sense.
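A small tombstone checker, added here as an example and not code from the issue or from Xposed: it parses the key fields of the dumps quoted above and carries out the checks made by hand in this thread (oat load base from frame #0, consistency of frame #1 with x30, the boot.oat offset that x20 points to, the shared 0x217 fault suffix, and the file-offset mapping). The oatdump executable offset 0x02b2a000 is the one read above for this device's boot.oat and is an assumption for any other file.

```python
import re

# Constructed sample input: excerpts copied from the first and fourth tombstones
# quoted in this thread (only the lines the parser needs).
TOMBSTONE_A = """\
ABI: 'arm64'
pid: 3670, tid: 3670, name: rsoft.climbhill >>> com.fingersoft.climbhill <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8a900000000217
x16 0000000000000000 x17 7b8a90000000007f x18 0000007f7b7fd520 x19 0000000000000060
x20 0000000073b04020 x21 0000007f7b8a9000 x22 0000007f7b8a9090 x23 0000007febb666e0
x28 0000007febb66c00 x29 0000007febb66590 x30 0000000073b2f02c
sp 0000007febb66500 pc 0000000073b04024 pstate 0000000060000000
backtrace:
#00 pc 0000000000000024 /data/dalvik-cache/arm64/system@framework@boot.oat
#01 pc 000000000002b028 /data/dalvik-cache/arm64/system@framework@boot.oat
"""

TOMBSTONE_B = """\
ABI: 'arm64'
pid: 4831, tid: 4831, name: es.smashywanted >>> com.rgames.smashywanted <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4a600000000217
x20 0000000072a52020 x21 0000007f8a4a6000 x22 0000007f8a4a6090 x23 0000007fe8eb64c0
x28 0000007fe8eb69e0 x29 0000007fe8eb6370 x30 0000000072a7d0dc
sp 0000007fe8eb62e0 pc 0000000072a52024 pstate 0000000060000000
backtrace:
#00 pc 0000000000000024 /data/dalvik-cache/arm64/system@framework@boot.oat
#01 pc 000000000002b0d8 /data/dalvik-cache/arm64/system@framework@boot.oat
"""

# Executable offset of boot.oat as rovo89 read it from oatdump for this device;
# it is specific to that file, so treat it as an assumption for any other oat.
OAT_EXEC_OFFSET = 0x02B2A000

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), code \d+ \((\w+)\), fault addr 0x([0-9a-f]+)")
PROC_RE = re.compile(r"name: \S+ >>> (\S+) <<<")
REG_RE = re.compile(r"\b(x\d+|sp|pc) ([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"^#(\d+) pc ([0-9a-f]+) (\S+)")


def parse_tombstone(text):
    """Extract process, signal, fault address, integer registers and backtrace frames."""
    ts = {"regs": {}, "frames": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SIGNAL_RE.search(line):
            ts["signal"], ts["signame"], ts["code"] = int(m.group(1)), m.group(2), m.group(3)
            ts["fault_addr"] = int(m.group(4), 16)
        elif m := PROC_RE.search(line):
            ts["process"] = m.group(1)
        elif m := FRAME_RE.match(line):
            ts["frames"].append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
        else:
            for name, value in REG_RE.findall(line):
                ts["regs"][name] = int(value, 16)
    return ts


def oat_load_base(ts):
    """Frame #0's pc is relative to boot.oat, so pc minus that offset is where it is mapped."""
    return ts["regs"]["pc"] - ts["frames"][0][1]


def caller_matches_link_register(ts):
    """The instruction at frame #1 should sit right before the return address held in x30."""
    call_site = oat_load_base(ts) + ts["frames"][1][1]
    return ts["regs"]["x30"] == call_site + 4


def branch_target_offset(ts, reg="x20"):
    """Where the register used by the `blr` rovo89 found points to, relative to boot.oat."""
    return ts["regs"][reg] - oat_load_base(ts)


def shared_fault_suffix(tombstones, bits=24):
    """Enyby's observation: return the low bits all fault addresses share, or None."""
    mask = (1 << bits) - 1
    suffixes = {ts["fault_addr"] & mask for ts in tombstones}
    return suffixes.pop() if len(suffixes) == 1 else None


def file_offset(pc_offset, exec_offset=OAT_EXEC_OFFSET):
    """Map a backtrace pc offset to a file offset in boot.oat, as done above for 2b028."""
    return pc_offset + exec_offset


if __name__ == "__main__":
    dumps = [parse_tombstone(TOMBSTONE_A), parse_tombstone(TOMBSTONE_B)]
    for ts in dumps:
        base = oat_load_base(ts)
        print(f"{ts['process']}: {ts['signame']}/{ts['code']} at 0x{ts['fault_addr']:x}")
        print(f"  boot.oat base 0x{base:x}, LR consistent: {caller_matches_link_register(ts)}")
        print(f"  blr x20 target is boot.oat+0x{branch_target_offset(ts):x}, "
              f"caller file offset 0x{file_offset(ts['frames'][1][1]):08x}")
    print(f"shared fault suffix: 0x{shared_fault_suffix(dumps):x}")
```

For both dumps x30 is exactly four bytes past frame #1, so the backtrace is trustworthy, while x20 resolves to boot.oat+0x20, i.e. the first page of the mapping rather than any method's code.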
@rovo89 Here is opensslprovider.jar from TW LL: https://gist.github.com/wanam/3bf00867148a8ddda667#file-opensslprovider-java-L238
Samsung has a native implementation of "nativeCheckWhitelist", but I have no idea what it checks inside. We need to hook this method because it somehow sets the FIPS status to true, which causes some crypto algorithms to be disabled, and this causes crashes on some paid apps' certificates and any app that uses OpenSSL algos.
So if the native hook does not work, we can still hook both methods that call "nativeCheckWhitelist": https://gist.github.com/wanam/3bf00867148a8ddda667#file-opensslprovider-java-L283 https://gist.github.com/wanam/3bf00867148a8ddda667#file-opensslprovider-java-L288
I can't test this myself, since I'm on TW MM; fortunately Samsung removed this crap in its new Android 6 builds.
@Enyby If you want to give it a try I can post a modified XposedBridge with both hooks to avoid this native hook: https://github.com/wanam/XposedBridge/blob/art/src/de/robv/android/xposed/SamsungHelper.java#L56
@rovo89
In the code I use only one method from the list: java.lang.Thread.isInterrupted(). But I used it in an earlier version before without problems.
Another two methods are very common: android.os.BinderProxy.isBinderAlive(), android.os.BinderProxy.pingBinder(), and can be called by system code on use of any system service.
Both apks work for me (all my emulators and devices), but one crashes on the target (some Samsung device as far as I know). I cannot explain why.
@wanam I do not have a device to test it. But if you post this, I will write about it to the people who have this problem. Maybe someone will test it and help us.
@wanam I don't think that would help, as no hooks are executed when instrumentation is detected. The question is rather whether this crash could be caused by a call to the native method or if the crash for that would look differently. I'm wondering a bit where the native method would usually be implemented. Is it in their libart.so?
@Enyby Can you say something about the devices that you got reports for? Only Samsung Lollipop or others as well?
@rovo89 I think it's in their "libjavacrypto.so". I don't have a copy of it right now, but I can get it for you if you need to take a look at it.
@rovo89 As far as I know, only Samsung Lollipop. List of Samsung devices:
5.1.1: Galaxy Note 6 Galaxy S6 SM-G920F SM-G925F S6 Edge Note 5
5.0.x: Galaxy Grand Prime
The oat file uploaded earlier used Xposed 74 bld 20150915. Maybe this info can help in something.
@rovo89 I can confirm it's on "libjavacrypto.so": https://www.dropbox.com/s/pv6nunt9ydw0qkf/libjavacrypto.so?dl=0
Libs from the problem device (Samsung Galaxy S6 SM-G920F), same as the oat file above: https://www.sendspace.com/file/twd825 Maybe it can help.
OK, so the implementation of nativeCheckWhitelist() should still be there, but I could imagine it crashes if it's not initialized properly (due to the replaced ART libraries and some hooks that might have been executed earlier). Is it possible that this happens only on arm64 devices where GameGuardian simply didn't run earlier? I.e. it didn't break things that worked before?
I have verified that hooking a native method and then disabling all hooks (like done when instrumentation is detected) works fine, it reverts to the original native implementation and doesn't crash. So there's not a general issue with hooking native methods.
I'd like to see if disabling Xposed for instrumented apps is indeed the cause of the crash. Would it be possible for you, @Enyby, to create a test build without instrumentation? I think it would just need to start, if that is possible. Otherwise, @wanam could try to disable the instrumentation detection in Xposed. I'm not sure of the consequences of that though, it has been in Xposed for more than 2.5 years (#2).
@Enyby here is a test version (same as v79.0) with instrumentation detection disabled for Samsung LL Roms: https://www.dropbox.com/sh/9tj8p2wdq1x01hp/AACJX6fbr2JL6C0HsH28wTuZa?dl=0
As I said, the previous version worked. Problems arose with the new version.
I built a test version without Instrumentation. https://www.sendspace.com/file/990isf
As I said, the previous version worked.
You wrote that you added arm64 support in 8.1.0. I assume that if your app ran before on those devices, it was executed in 32-bit mode, which doesn't seem to run into these issues. Or am I missing something?
Anyway, could you please get someone to test these builds? I can't reproduce the issue myself.
The app consists of two parts: Java code (independent of the arch and does not use any native code) and a daemon (an ELF executable for the needed arch. An executable, not a library).
The crash is caused by the Java part, not by the daemon. So it does not matter whether the daemon is 32-bit or 64-bit.
Or so I hope. Perhaps there is some kind of analysis of the lib file, which breaks everything.
I wrote in three places about these test builds. Maybe someone will test them. If I get any feedback I will immediately write about it.
There are test results. The test build of GameGuardian without Instrumentation starts.
So the problem is in Instrumentation or something related.
Refining your test: the test build of Xposed solves the problem.
@Enyby Which one?
xposed-v79.1-sdk22-arm64-custom-build-by-wanam-20160120
@wanam Just to be sure, how exactly did you disable the instrumentation test?
@rovo89 I added a condition to ignore this portion of code when it is a Samsung Rom: https://github.com/wanam/XposedBridge/blob/art/src/de/robv/android/xposed/XposedBridge.java#L159-L164
@Enyby You mean the one I posted in my previous post with instrumentation detection disabled? I thought you said it didn't work! https://www.dropbox.com/sh/9tj8p2wdq1x01hp/AACJX6fbr2JL6C0HsH28wTuZa?dl=0
Or the other build I posted on my xda thread: https://www.dropbox.com/sh/7yukadu71uopm41/AAAYD-V1WhAwBnPCWypfudNFa?dl=0
Unfortunately I did post both of them with the same file names. In the last build I reverted the 2 commits: https://github.com/wanam/android_art/commit/380f036069b422413478f6dd7862aca67965edcb https://github.com/wanam/android_art/commit/4e5d44f964e1259b7e91c5f278fc0a258e387e99
I mean the file from dropbox. At first the user tried my test build of gg on it, but I thought he was using the normal gg. Later we resolved this misunderstanding and he tested the latest normal gg and it worked.
I do not know about the xda version of the test build.
Ok then it is just related to the instrumentation detection.
Enyby, I re-enabled Xposed today. Same crashes with official 8.1+ versions.
But the test version you uploaded on https://m.sendspace.com/file/990isf works a little bit. The daemon still works. I can start gg, the first window (with donate, start, test button) shows up, but if I press start, nothing happens.
The dropbox links with test versions for Xposed are outdated.
Try v79.1 here: http://forum.xda-developers.com/showthread.php?p=62377731
Ok, so let me summarize:
nativeCheckWhitelist() method.
false.
From my point of view, it's ok if @wanam disables the instrumentation check for Samsung ROMs as a temporary solution. This doesn't seem to be necessary on other devices, so I don't want to do this in my source tree. For the future, I will open an additional issue in the XposedBridge project to investigate whether Xposed can properly support instrumented apps. This has rather low priority for me though.
Any further comments/objections/doubts or can this issue be closed?
I think it can be closed.
Yes it can be closed. I will keep the change for Samsung roms only: https://github.com/wanam/XposedBridge/commit/75576502da6570ea4cb489998be2e7e3b19417f3
What about me, bro? I have a Mi A2. What can I do to fix it?
GameGuardian starting from version 8.1.0 crashes in boot.oat if Xposed is installed. Link to apk: https://gameguardian.net/forum/files/file/2-gameguardian/ Link to error: https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43852 Link to logcat: https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43851 https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43887 Description of the problem: http://forum.xda-developers.com/xposed/unofficial-xposed-samsung-lollipop-t3180960/post64544001
The main change in version 8.1.0 is support for x64, and as a consequence the use of the data type long instead of int. Rather, this creates problems when ART compiles it.
Another logcat: https://gameguardian.net/forum/topic/7398-gathering-information-about-gg-errors/?do=findComment&comment=43930